CN100379315C - Method for carrying out authentication on user terminal - Google Patents

Method for carrying out authentication on user terminal

Info

Publication number
CN100379315C
Authority
CN
China
Prior art keywords
2g
user terminal
binding information
identity
authentication
Prior art date
Application number
CN 200510077476
Other languages
Chinese (zh)
Other versions
CN1802016A (en
Inventor
朱奋勤
黄迎新
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Priority to CN 200510077476
Publication of CN1802016A
Application granted
Publication of CN100379315C


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • H04L63/0876 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L67/00 Network-specific arrangements or communication protocols supporting networked applications
    • H04L67/02 Network-specific arrangements or communication protocols supporting networked applications involving the use of web-based technology, e.g. hyper text transfer protocol [HTTP]
    • H04L65/00 Network arrangements or protocols for real-time communications
    • H04L65/10 Signalling, control or architecture
    • H04L65/1013 Network architectures, gateways, control or user entities
    • H04L65/1016 IMS

Abstract

The present invention discloses a method for authenticating a user terminal. After receiving an access request containing a user identity from a 2G user terminal, an application service entity obtains from the HSS, according to the user identity in the access request, binding information consisting of the IP address of the 2G user terminal and its identity, and stores that binding information. The application service entity then determines whether the binding information it has stored for the 2G user terminal (IP address and identity) matches the IP address and identity of the 2G user terminal that initiated the access request. If they match, the 2G user terminal passes authentication; otherwise the 2G user terminal fails authentication. Applying the invention to authenticate 2G user terminals that directly access an application service entity both ensures that legitimate users can gain access and protects the security of the network. In particular, it allows early-deployed IMS-based services to be deployed and run normally.

Description

Method for authenticating a user terminal

Technical Field

The present invention relates to the field of mobile communications, and in particular to a method for authenticating a 2G user terminal that directly accesses an application service entity.

Background

With the development of broadband networks, mobile communication is no longer limited to traditional voice communication. Combined with data services such as presence, short messaging, web browsing, location information, push services and file sharing, mobile communication can deliver services in many media types, including audio, video, pictures and text, to meet users' varied needs.

Organizations such as the 3rd Generation Partnership Project (3GPP) and the 3rd Generation Partnership Project 2 (3GPP2) have each introduced the IP Multimedia Subsystem (IMS) architecture. Its purpose is to use a standardized open structure in mobile networks to realize a wide variety of multimedia applications, giving users more choice and a richer experience.

The IMS architecture is overlaid on the packet domain network (PS-Domain). Its authentication-related entities include the Call State Control Function (CSCF) entity and the Home Subscriber Server (HSS) functional entity.
The CSCF can be further divided into three logical entities: the Serving CSCF (S-CSCF), the Proxy CSCF (P-CSCF) and the Interrogating CSCF (I-CSCF). These three logical entities may be different physical devices, or different functional modules within the same physical device. The S-CSCF is the service control center of the IMS; it performs session control, maintains session state, manages user information, generates charging information, and so on. The P-CSCF is the access point through which end users enter the IMS; it handles user registration, quality of service (QoS) control, security management, and so on. The I-CSCF is responsible for interworking between IMS domains, manages the assignment of S-CSCFs, hides the network topology and configuration information from the outside, generates charging data, and so on. The HSS is a very important user database that supports each network entity in handling calls and sessions.

When IMS was first introduced (in the R5 version of the protocol), only its use in third-generation mobile networks was considered. Because the services available on IMS are so rich, operators developed a need to use IMS on 2G networks. A 2G network, however, cannot support the security-related functions of 3G-based IMS, such as quintuple authentication and network authentication. To solve the user authentication problem that 2G users face when using an IMS network, 3GPP proposed a transitional authentication scheme that provides a certain level of security for IMS services on 2G.
When the user supports the 3G authentication scheme, the complete 3G-based authentication scheme is used to authenticate the accessing user. In this way, both 2G users and 3G users can use IMS services after passing authentication. The transitional authentication scheme is usually called the Early IMS authentication mode, and the complete 3G-based authentication scheme is called the Full 3GPP IMS authentication mode.

Any 2G or 3G UE can either use the services provided by an IMS-based application server (AS), for example the presence service, or perform simple management operations on an IMS-based AS or on an AS proxy (AP), for example managing group list information on the AS or AP.

When a UE needs to use the services provided by an IMS-based AS, it must first access the 3GPP packet domain, and it can use the services provided by the AS only after being authenticated by the IMS. In this case the IMS authenticates a 2G UE using the Early IMS authentication mode and a 3G UE using the Full 3GPP IMS authentication mode.

When a UE needs to perform management operations on an IMS-based AS, either directly or through an AP, it must still first access the 3GPP packet domain. The UE can then access the AS or AP directly over the Ut interface, so the IMS no longer authenticates the UE. Existing protocols also specify that a UE directly accessing an AS or AP may do so only after being authenticated using the Generic Authentication Architecture (GAA).
However, the existing GAA-based authentication mode is designed for 3G user terminals and does not support authenticating 2G user terminals. Inevitably, then, one of two situations arises: 2G user terminals cannot gain access, or 2G user terminals gain access directly without authentication. Refusing access to 2G user terminals not only costs the operator a great deal of business but also lowers users' satisfaction with the operator. Allowing 2G user terminals to access directly without authentication clearly cannot guarantee the security of the AS or of the network as a whole.

Summary of the Invention

In view of this, the object of the present invention is to provide a method for authenticating a user terminal, so that 2G user terminals that directly access an application service entity can be authenticated.

To achieve this object, the technical solution of the invention is implemented as follows:

A method for authenticating a user terminal, applicable to a 2G user terminal that directly accesses an application service entity, where the 2G user terminal that has accessed 3GPP has obtained an IP address, and the home subscriber server (HSS) of the user's home network already stores binding information consisting of the IP address of the 2G user terminal and its identity. The method further comprises the following steps:

a. The 2G user terminal initiates an access request to the application service entity, the request containing the terminal's own identity. According to the received access request, the application service entity obtains from the HSS the binding information consisting of the IP address of the 2G user terminal and its identity, and stores that binding information.

b. The application service entity determines whether the binding information it has stored for the 2G user terminal (IP address and identity) matches the IP address and identity of the 2G user terminal that initiated the access request. If they match, the 2G user terminal passes authentication; otherwise the 2G user terminal fails authentication.
Preferably, the access request initiated by the 2G user terminal further includes an authentication mode identifier. When the authentication mode identifier indicates the early Generic Authentication Architecture authentication mode, the application service entity obtains the binding information of the 2G user terminal's IP address and identity from the HSS through the BSF, the entity that performs the initial check and verification of user identity.

Preferably, the process by which the application service entity obtains the binding information of the 2G user terminal's IP address and identity from the HSS through the BSF, and stores it, comprises the following steps: the application service entity sends the BSF a message requesting authentication information, the request message containing the identity of the user terminal; after receiving the request, the BSF requests from the HSS the binding information of the 2G user terminal's IP address and identity according to the user terminal identity in the request, and returns the binding information it obtains directly to the application service entity; the application service entity stores the received binding information. The message in which the BSF requests binding information from the HSS contains an authentication scheme field, and that field indicates early IMS.

Preferably, the BSF is an Early-BSF that has only the early query function, or a BSF that supports full 3G functionality and also has the Early-BSF function.
Preferably, when the application service entity requests binding information from the HSS through the BSF, the application service entity and the HSS that stores the binding information belong to the same home network or to different home networks.

Preferably, the access request initiated by the 2G user terminal further includes an authentication mode identifier. When the authentication mode identifier indicates the direct authentication mode, the application service entity sends the binding information request message directly to the HSS, and receives and stores the binding information of the 2G user terminal's IP address and identity returned by the HSS.

Preferably, the request message sent by the application service entity to the HSS is carried in a User-Data-Request (UDR) message, and attribute information in that message indicates that binding information is requested; the response message returned by the HSS to the application service entity is carried in a User-Data-Answer (UDA) message, and attribute information in that message indicates that binding information is requested.

Preferably, when the application service entity requests binding information directly from the HSS, the application service entity and the HSS that stores the binding information belong to the same home network.

Preferably, the access request initiated by the 2G user terminal to the application service entity is carried in an HTTP GET request message; the authentication mode identifier in the request message is carried in the user agent field of the HTTP GET.
Preferably, the identity in the access request is the public user identity (IMPU). The binding information of the 2G user terminal's IP address and identity that the application service entity obtains from the HSS is either the correspondence between the IMPU contained in the access request and the IP address of the 2G user terminal, or the correspondence between all IMPUs owned by the 2G user terminal that initiated the access request and the IP address of that 2G user terminal.

A Transport Layer Security (TLS) tunnel is established between the 2G user terminal and the application service entity, and step a is then performed.

Preferably, the application service entity is an application server (AS) or an application server proxy (AP).

The key to the invention is as follows: after receiving an access request containing a user identity from a 2G user terminal, the application service entity obtains from the HSS, according to the user identity in the access request, the binding information of the 2G user terminal's IP address and identity. The application service entity then determines whether the binding information it has stored for the 2G user terminal matches the IP address and identity of the 2G user terminal that initiated the access request. If they match, the 2G user terminal passes authentication; otherwise the 2G user terminal fails authentication.
Applying the invention makes it possible to authenticate 2G user terminals that directly access an application service entity, which both ensures that legitimate users can gain access and protects the security of the network. In particular, it allows early-deployed IMS-based services to be deployed and run normally.

Brief Description of the Drawings

FIG. 1 is a schematic flowchart of Embodiment 1 of the invention.
FIG. 2 is a schematic flowchart of Embodiment 2 of the invention.

Detailed Description

The invention is described in further detail below with reference to the drawings and specific embodiments.

FIG. 1 is a schematic flowchart of Embodiment 1 of the invention. In this embodiment, the 2G UE has accessed the 3GPP packet domain and obtained the IP address assigned to it by the packet network gateway node (GGSN). The GGSN also sends the telephone number (MSISDN) of the UE's user, the packet-domain International Mobile Subscriber Identity (IMSI), the IP address and other related information to the HSS. The HSS uses the user's MSISDN or IMSI to look up the user's identity in the IMS system, the IMPI, and stores a binding of the UE's IMPI, the public user identity (IMPU) corresponding to that IMPI, the MSISDN and the UE's IP address. This embodiment is described using the example of a 2G UE accessing an AS.
Step 101: The 2G UE initiates an access request to the AS. The request contains the UE's own identity, such as an IMPU, and the request message also contains an identifier of the authentication mode the UE supports. On the existing HTTP-based Ut interface, the user agent field of the HTTP GET message can be used to carry this authentication mode identifier. In this embodiment, the authentication mode supported by the 2G UE is Ut interface authentication using early GAA. The identifier of this authentication mode is denoted here as the early Generic Authentication Architecture authentication mode (Early-GAA-Ut), so the identifier Early-GAA-Ut is added to the user agent field of the HTTP message.

Step 102: From the received access request, the AS determines that the authentication mode identifier in the request message is Early-GAA-Ut, and sends a message requesting authentication information to the entity that performs the initial check and verification of user identity (BSF). The message contains the user identity. The BSF in this step may be an Early-BSF that has only the early query function, or a BSF that supports full 3G functionality and also has the Early-BSF function. In the 3G GAA procedure, the AS must carry the user session identifier (B-TID) assigned by the BSF when it requests authentication information from the BSF, whereas in the Early-GAA-Ut authentication mode no BSF-assigned B-TID exists. A BSF that supports full 3G functionality and has the Early-BSF function can therefore, on receiving a message requesting authentication information from an AS, distinguish the normal 3G GAA authentication mode from the Early-GAA-Ut authentication mode by checking whether the message carries a B-TID or a user identity.

Step 103: The BSF receives the AS's message requesting authentication information and, after determining that the request carries a user identity, requests from the HSS the binding information of the UE's IP address and identity. This request likewise contains the UE's identity, and the message requesting binding information from the HSS contains an authentication scheme field that indicates early IMS.

Step 104: According to the user identity in the received request, the HSS looks up the binding information the BSF needs and returns it to the BSF. The user identity in the access request sent by the UE is usually an IMPU, so the HSS looks up the binding information as follows: the HSS uses the received IMPU to find the IMPI corresponding to that IMPU and the IP address corresponding to that IMPI, and the binding information returned is the correspondence between the IMPU and the UE's IP address. If the user identity carried by the UE that initiated the access request is an IMPI or IMSI, the binding information returned by the HSS is the binding of the IMPI to the IP address or of the IMSI to the IP address, or, as required by the network system in which the method is applied, the binding of the required IMPI and/or IMPU to the user terminal's IP address. In other words, the binding information returned by the HSS is the correspondence between the identity of the requesting UE and the IP address that UE currently holds.

Step 105: On receiving the binding information, the BSF does not store it but forwards it directly to the AS. The benefit is that when the AS requests binding information from the BSF again, the BSF has to query the HSS, which guarantees that the information the BSF returns to the AS is always the latest.

Step 106: The AS stores the binding information it receives, and then determines whether the binding information it has stored for the UE (IP address and identity) matches the IP address and identity of the UE that initiated the access request, that is, whether they are identical. If they match, the 2G UE passes authentication; otherwise the 2G UE fails authentication.

For the above embodiment, when the UE's IP address changes or is released, the GGSN notifies the HSS to update or delete the binding information.
When the binding information stored in the HSS changes, the HSS does not need to notify the BSF. After an IP address changes or is released, the connection-based application layer protocol is normally disconnected and a connection is re-established later; the AS deletes its stored binding information once the connection is broken, and when the UE re-establishes the connection the AS requests the binding information from the BSF again.

For the above embodiment, the AS that receives the access request and the HSS that stores the binding information may belong to the same home network or to different home networks.

FIG. 2 is a schematic flowchart of Embodiment 2 of the invention. In this embodiment, the UE has accessed the 3GPP packet domain and obtained the IP address assigned to it by the GGSN. The GGSN also sends the UE's MSISDN, IMSI, IP address and other related information to the HSS. The HSS uses the user's MSISDN or IMSI to look up the user's identity in the IMS system, the IMPI, and stores a binding of the UE's IMPI, the public user identity (IMPU) corresponding to that IMPI, the MSISDN and the UE's IP address. This embodiment is described using the example of a 2G UE accessing an AS.

Step 201: The 2G UE initiates an access request to the AS. The request contains the UE's own identity, such as an IMPU, and the request message also contains an identifier of the authentication mode the UE supports. On the existing HTTP-based Ut interface, the user agent field of the HTTP GET message can be used to carry this authentication mode identifier. In this embodiment, the authentication mode supported by the 2G UE is the direct authentication mode that uses the Sh interface between the AS and the HSS. The identifier of this authentication mode is denoted here as the direct authentication mode (Ut-Sh-Authentication), so the identifier Ut-Sh-Authentication is added to the user agent field of the HTTP message.

Step 202: From the received access request, the AS determines that the authentication mode identifier in the request message is Ut-Sh-Authentication, and sends a message directly over the Sh interface to the HSS requesting the binding information of the UE's IP address and identity. The request message likewise contains the user identity information. Normally, the request message that the AS sends to the HSS over the Sh interface is carried in a User-Data-Request (UDR) message, and the attribute information AVP (Attribute-Value Pair) in the request message describes which of the user's data is requested. In this embodiment, requesting address binding information over the Sh interface is implemented by adding an AVP attribute that requests the binding address information.
Step 203: According to the user identity in the received request, the HSS looks up the binding information the AS needs and returns it directly to the AS. Normally, the HSS uses a User-Data-Answer (UDA) message on the Sh interface as the response to the UDR message. In this embodiment, because the message is a response to a request for binding information, the UDA message also uses the AVP attribute information added in step 202.

The user identity in the access request sent by the UE is usually an IMPU, so the HSS looks up the binding information as follows: the HSS uses the received IMPU to find the IMPI corresponding to that IMPU and the IP address corresponding to that IMPI, and the binding information returned is the correspondence between the IMPU and the UE's IP address. If the user identity carried by the UE that initiated the access request is an IMPI or IMSI, the binding information returned by the HSS is the binding of the IMPI to the IP address or of the IMSI to the IP address, or, as required by the network system in which the method is applied, the binding of the required IMPI and/or IMPU to the user terminal's IP address. In other words, the binding information returned by the HSS is the correspondence between the identity of the requesting UE and the IP address that UE currently holds.
Step 204: The AS stores the binding information it receives, and then determines whether the binding information it has stored for the UE (IP address and identity) matches the IP address and identity of the UE that initiated the access request, that is, whether they are identical. If they match, the 2G UE passes authentication; otherwise the 2G UE fails authentication.

For the above embodiment, when the UE's IP address changes or is released, the GGSN notifies the HSS to update or delete the binding information. When the binding information stored in the HSS changes, the HSS does not need to notify the AS. After an IP address changes or is released, the connection-based application layer protocol is normally disconnected and a connection is re-established later; the AS deletes its stored binding information once the connection is broken, and when the UE re-establishes the connection the AS requests the binding information from the HSS again.

For the above embodiment, the AS that receives the access request and the HSS that stores the binding information must belong to the same home network.

The embodiments above are all described using the example of a UE accessing an AS. The AS in all of them can be directly replaced by an AP, in which case the AP acts on behalf of the AS to authenticate the accessing UE, and one AP may have one or more ASs behind it.
Here, all entities such as an AS or an AP are referred to as application service entities. Furthermore, as is well known, a user's public identities (IMPUs) map many-to-one onto the private identity (IMPI). In both embodiments above, therefore, when the HSS returns binding information it may also return the bindings between all IMPUs associated with that IMPI and the UE's IP address. The benefit is that after the UE has connected to the AS, its later messages may switch to a different IMPU, so the AS needs to hold the correspondence between all of the UE's IMPUs and that IP address. This is especially useful when the AS is replaced by an AP: an AP may have several ASs behind it and performs authentication on their behalf, and the UE may well use different IMPUs when sending requests to different ASs. If the AP already holds the correspondence between all of the UE's IMPUs and the UE's IP address, it can complete the proxied authentication quickly and accurately without querying the HSS repeatedly.
Before either of the two embodiments is carried out, the UE and the AS may first establish a Transport Layer Security (TLS) tunnel. Because TLS is a transport-layer protection protocol, performing the application-layer authentication described in the two embodiments after the tunnel is established gives the application-layer communication between the UE and the AS adequate security protection.
The embodiments above all have the network side adapt to the UE, that is, they enable the network side to authenticate a 2G UE. Alternatively, the UE can adapt to the network side: the 2G user loads a software module that lets the 2G UE fully support 3G functions, that is, support the 3G authentication method. The network side can then still authenticate the UE using the standard 3G authentication method. The software module can be downloaded from the network or obtained directly from the operator.
The authentication method of the embodiments above can be applied when a 2G UE directly accesses the AS, and also to subsequent messages sent by that UE after access.
The above are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.
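The binding lookup of step 203, the comparison of step 204 and the caching of all IMPUs of one IMPI described above, as an added Python example that is not part of the patent text. The `HSS` and `ApplicationServiceEntity` classes, their method names, the connection ids and all identities and addresses are constructed for illustration, and `source_ip` is assumed to be the peer address of the transport connection rather than a value supplied in the request.

```python
from dataclasses import dataclass, field


@dataclass
class HSS:
    """Constructed stand-in for the HSS; the GGSN keeps ip_by_impi current."""
    impi_by_impu: dict                      # many IMPUs map to one IMPI
    ip_by_impi: dict = field(default_factory=dict)
    queries: int = 0

    def ggsn_update(self, impi, ip):
        """GGSN reports a new address, or None when the address is released."""
        if ip is None:
            self.ip_by_impi.pop(impi, None)
        else:
            self.ip_by_impi[impi] = ip

    def binding_for(self, impu):
        """Step 203: IMPU -> IMPI -> IP, returned for every IMPU of that IMPI."""
        self.queries += 1
        impi = self.impi_by_impu.get(impu)
        ip = self.ip_by_impi.get(impi)
        if impi is None or ip is None:
            return {}
        return {u: ip for u, i in self.impi_by_impu.items() if i == impi}


class ApplicationServiceEntity:
    """AS or AP: stores bindings per connection and compares them (step 204)."""

    def __init__(self, hss):
        self.hss = hss
        self.bindings = {}                  # connection id -> {IMPU: IP}

    def authenticate(self, conn_id, source_ip, claimed_impu):
        # Assumption: source_ip is the connection's peer address, never a
        # value the client wrote into the request.
        cached = self.bindings.setdefault(conn_id, {})
        if claimed_impu not in cached:
            cached.update(self.hss.binding_for(claimed_impu))
        bound_ip = cached.get(claimed_impu)
        # Pass only if the stored (IMPU, IP) pair is identical to the request's.
        return bound_ip is not None and bound_ip == source_ip

    def on_disconnect(self, conn_id):
        # The HSS does not push changes, so the binding is dropped with the
        # connection and fetched again on reconnect.
        self.bindings.pop(conn_id, None)


def run_demo():
    """Constructed identities and addresses; returns (results, hss_queries)."""
    alice, bob = "alice@example.test", "bob@example.test"
    hss = HSS({"sip:alice@example.test": alice, "tel:+15550100": alice,
               "sip:bob@example.test": bob})
    hss.ggsn_update(alice, "10.0.0.5")
    hss.ggsn_update(bob, "10.0.0.9")
    ap = ApplicationServiceEntity(hss)
    results = [
        ap.authenticate("c1", "10.0.0.5", "sip:alice@example.test"),  # match
        ap.authenticate("c1", "10.0.0.5", "tel:+15550100"),  # cached, no query
        ap.authenticate("c2", "10.0.0.9", "sip:alice@example.test"),  # wrong IP
    ]
    queries = hss.queries
    hss.ggsn_update(alice, None)            # address released at the GGSN
    ap.on_disconnect("c1")
    results.append(ap.authenticate("c3", "10.0.0.5", "sip:alice@example.test"))
    return results, queries
```

The check is only as strong as the network's guarantee that a terminal cannot send traffic from an address it was not assigned, and a cached binding that outlives its connection would let a later holder of the same address inherit the identity.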

Claims (12)

1. A method for authenticating a user terminal, applicable to a 2G user terminal that directly accesses an application service entity, characterized in that the 2G user terminal accessing 3GPP has obtained an IP address, and binding information consisting of the IP address of the 2G user terminal and its identity has been stored in the user home network server (HSS), the method further comprising the following steps: a. the 2G user terminal initiates an access request to the application service entity, the request containing its own identity; the application service entity, according to the received access request, obtains from the HSS the binding information consisting of the IP address of the 2G user terminal and its identity, and stores the binding information; b. the application service entity determines whether the binding information of the IP address and identity of the 2G user terminal that it has stored matches the binding information of the IP address and identity of the 2G user terminal that initiated the access request; if they match, the 2G user terminal passes authentication; otherwise the 2G user terminal fails authentication.
2. The method according to claim 1, characterized in that the access request initiated by the 2G user terminal further includes an authentication mode identifier, and when the authentication mode identifier indicates the early generic authentication framework authentication mode, the application service entity obtains the binding information of the IP address and identity of the 2G user terminal from the HSS through the BSF, the entity that performs initial check and verification of the user identity.
3. The method according to claim 2, characterized in that the process in which the application service entity obtains the binding information of the IP address and identity of the 2G user terminal from the HSS through the BSF and stores the binding information comprises the following steps: the application service entity sends a message requesting authentication information to the BSF, the request message containing the identity of the user terminal; after receiving the request, the BSF requests the binding information of the IP address and identity of the 2G user terminal from the HSS according to the identity of the user terminal in the request, and returns the obtained binding information directly to the application service entity; the application service entity stores the received binding information; the message in which the BSF requests binding information from the HSS contains an authentication scheme field, and the authentication scheme field indicates early IMS.
4. The method according to claim 3, characterized in that the BSF is an Early-BSF, an early BSF having only the query function, or a BSF that fully supports 3G functions and also has the Early-BSF function.
5. The method according to claim 3, characterized in that the application service entity and the HSS that holds the binding information belong to the same or different home networks.
6. The method according to claim 1, characterized in that the access request initiated by the 2G user terminal further includes an authentication mode identifier, and when the authentication mode identifier indicates the direct authentication mode, the application service entity sends a binding information request message directly to the HSS, and receives and stores the binding information of the IP address and identity of the 2G user terminal returned by the HSS.
7. The method according to claim 6, characterized in that the request message sent by the application service entity to the HSS is carried by a User-Data-Request (UDR) message, and attribute information in the message indicates that binding information is requested; the response message returned by the HSS to the application service entity is carried by a User-Data-Answer (UDA) message, and attribute information in the message indicates that binding information is requested.
8. The method according to claim 6, characterized in that the application service entity and the HSS that holds the binding information belong to the same home network.
9. The method according to claim 2 or 6, characterized in that the access request initiated by the 2G user terminal to the application service entity is carried by an HTTP GET request message of the HTTP protocol; the authentication mode identifier in the request message is carried by the user agent field of the HTTP GET.
10. The method according to claim 1, characterized in that the identity in the access request is a public user identity (IMPU); the binding information is the correspondence between the IMPU contained in the access request and the IP address of the 2G user terminal.
11. The method according to claim 1, characterized in that the method further comprises: establishing a Transport Layer Security (TLS) tunnel between the 2G user terminal and the application service entity, and then performing step a.
12. The method according to claim 1, characterized in that the application service entity is an application server (AS) or an application server proxy (AP).
CN 200510077476 2005-06-21 2005-06-21 Method for carrying out authentication on user terminal CN100379315C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200510077476 CN100379315C (en) 2005-06-21 2005-06-21 Method for carrying out authentication on user terminal

Applications Claiming Priority (5)

Application Number Priority Date Filing Date Title
CN 200510077476 CN100379315C (en) 2005-06-21 2005-06-21 Method for carrying out authentication on user terminal
CN 200680012306 CN101160920A (en) 2005-06-21 2006-06-21 Method and system for authenticating user terminal
EP06742203A EP1816825A4 (en) 2005-06-21 2006-06-21 A method and system for authenticating user terminal
PCT/CN2006/001416 WO2006136106A1 (en) 2005-06-21 2006-06-21 A method and system for authenticating user terminal
US11/735,541 US20070249342A1 (en) 2005-06-21 2007-04-16 Method, system and application service entity for authenticating user equipment

Publications (2)

Publication Number Publication Date
CN1802016A CN1802016A (en) 2006-07-12
CN100379315C true CN100379315C (en) 2008-04-02

Family

ID=36811707

Family Applications (2)

Application Number Title Priority Date Filing Date
CN 200510077476 CN100379315C (en) 2005-06-21 2005-06-21 Method for carrying out authentication on user terminal
CN 200680012306 CN101160920A (en) 2005-06-21 2006-06-21 Method and system for authenticating user terminal

Family Applications After (1)

Application Number Title Priority Date Filing Date
CN 200680012306 CN101160920A (en) 2005-06-21 2006-06-21 Method and system for authenticating user terminal

Country Status (4)

Country Link
US (1) US20070249342A1 (en)
EP (1) EP1816825A4 (en)
CN (2) CN100379315C (en)
WO (1) WO2006136106A1 (en)

Also Published As

Publication number Publication date
CN101160920A (en) 2008-04-09
US20070249342A1 (en) 2007-10-25
EP1816825A4 (en) 2008-03-05
CN1802016A (en) 2006-07-12
EP1816825A1 (en) 2007-08-08
WO2006136106A1 (en) 2006-12-28

Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C14 Granted